The log name above reflects an enabled log type in your StreamAlert deployment. These log types are also the top-level keys in logs.json.

For example, if you have ‘cloudwatch’ in your sources, you would want to create tables for all possible subtypes. This includes cloudwatch:control_message, cloudwatch:events, and cloudwatch:flow_logs. The : character is not an acceptable character in table names due to a Hive limitation, but your arguments can be either cloudwatch:events or cloudwatch_events. Both will be handled properly by StreamAlert.